{"id":22117737,"url":"https://github.com/kineticcafe/actions-dco","last_synced_at":"2026-05-09T06:12:57.785Z","repository":{"id":174871697,"uuid":"644944067","full_name":"KineticCafe/actions-dco","owner":"KineticCafe","description":"GitHub Action that enforces Developer Certificate of Origin sign-off on Pull Requests","archived":false,"fork":false,"pushed_at":"2025-12-27T02:53:27.000Z","size":3609,"stargazers_count":3,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-12-28T20:58:45.452Z","etag":null,"topics":["actions","github-actions","typescript"],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/KineticCafe.png","metadata":{"files":{"readme":"README.md","changelog":"Changelog.md","contributing":"Contributing.md","funding":".github/FUNDING.yml","license":"licenses/APACHE-2.0.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":"halostatue","buy_me_a_coffee":"halostatue","ko_fi":"halostatue"}},"created_at":"2023-05-24T15:18:31.000Z","updated_at":"2025-12-27T02:53:30.000Z","dependencies_parsed_at":"2024-02-27T01:54:09.837Z","dependency_job_id":"9d0da6ef-1c38-4fbb-8298-b51d3305c7a0","html_url":"https://github.com/KineticCafe/actions-dco","commit_stats":null,"previous_names":["kineticcafe/actions-dco"],"tags_count":21,"template":false,"template_full_name":"actions/typescript-action","purl":"pkg:github/KineticCafe/actions-dco","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KineticCafe%2Fact
ions-dco","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KineticCafe%2Factions-dco/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KineticCafe%2Factions-dco/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KineticCafe%2Factions-dco/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/KineticCafe","download_url":"https://codeload.github.com/KineticCafe/actions-dco/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KineticCafe%2Factions-dco/sbom","scorecard":{"id":78839,"data":{"date":"2025-08-11","repo":{"name":"github.com/KineticCafe/actions-dco","commit":"41ccac559c7150e0e9ffea00785fd173c473e2ee"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":7.4,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/6 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":10,"reason":"14 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and 
uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous 
patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license file: Licence.md:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Pinned-Dependencies","score":10,"reason":"all dependencies are pinned","details":["Info:   8 out of   8 GitHub-owned GitHubAction dependencies pinned","Info:   6 out of   6 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/check-dist.yml:26","Info: jobLevel 'contents' permission set to 'read': .github/workflows/dco.yml:14","Info: jobLevel 'contents' permission set to 'read': .github/workflows/dependency-review.yml:22","Info: jobLevel 'contents' permission set to 'read': .github/workflows/zizmor.yml:21","Info: jobLevel 'actions' permission set to 'read': .github/workflows/zizmor.yml:22","Info: found token with 'none' permissions: .github/workflows/check-dist.yml:1","Info: found token with 'none' permissions: 
.github/workflows/dco.yml:1","Info: found token with 'none' permissions: .github/workflows/dependency-review.yml:1","Info: found token with 'none' permissions: .github/workflows/zizmor.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Branch-Protection","score":3,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Warn: 'branch protection settings apply to administrators' is disabled on branch 'main'","Warn: 'stale review dismissal' is disabled on branch 'main'","Warn: branch 'main' does not require approvers","Warn: codeowners review is not required on branch 'main'","Warn: 'last push approval' is disabled on branch 'main'","Warn: 'up-to-date branches' is disabled on branch 'main'","Info: status check found to merge onto on branch 'main'","Info: PRs are required in order to make changes on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: all commits (27) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-15T05:22:28.276Z","repository_id":174871697,"created_at":"2025-08-15T05:22:28.276Z","updated_at":"2025-08-15T05:22:28.276Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32809151,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-08T08:22:46.396Z","status":"online","status_checked_at":"2026-05-09T02:00:06.633Z","response_time":123,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","github-actions","typescript"],"created_at":"2024-12-01T13:39:07.059Z","updated_at":"2026-05-09T06:12:57.773Z","avatar_url":"https://github.com/KineticCafe.png","language":"TypeScript","funding_links":["https://github.com/sponsors/halostatue","https://buymeacoffee.com/halostatue","https://ko-fi.com/halostatue"],"categories":[],"sub_categories":[],"readme":"# @KineticCafe/actions-dco\n\nEnforce the presence of commit sign-offs on pull requests, indicating that the\ncontributor to a project certifies that they are permitted to contribute to the\nproject. 
The sign-off line represents certification of the\n[Developer Certificate of Origin][dco].\n\n## Example Usage\n\n```yaml\nname: DCO Check\n\non:\n  pull_request:\n\npermissions: {}\n\njobs:\n  check:\n    permissions:\n      contents: read\n\n    runs-on: ubuntu-latest\n    steps:\n      - uses: KineticCafe/actions-dco@v3.0.0\n```\n\n## Versioning\n\nFrom version 3.0, only exact semantic version tags (`@v3.0.0`, `@v3.1.0`, etc.)\nwill be published. We no longer allow floating tags as part of our repository\nconfiguration.\n\n## Inputs\n\n- `repo-token`: The GitHub token for use with this action. It must have\n  permission to read pull request details. If `comment` is enabled in config,\n  add `pull-requests: write`.\n\n  Default: `${{ github.token }}`\n\n- `config`: Embedded TOML configuration (see [Configuration](#configuration)\n  below). This is the preferred way to configure the action.\n\n- `exempt-authors` (_deprecated_): A whitespace-separated list of email\n  exemption patterns. Use the `config` input instead. A deprecation warning will\n  be emitted when this input is used. This value will be ignored if present in\n  both action input and in the `config` input.\n\n## Configuration\n\nConfiguration is managed as inline TOML via the `config` input.\n\n### Minimal example\n\n```yaml\n- uses: KineticCafe/actions-dco@v3.0.0\n  with:\n    config: |\n      exempt-authors = [\"joe@example.net\", \"@example.com\"]\n```\n\n### Author Exemption\n\nCommit authors may be exempted by policy with implied sign-off on the DCO. This\nis a TOML list of email patterns. Two formats are allowed in this list:\n\n- Exact email addresses (`name@example.org`), matching only those author email\n  addresses\n\n- Domain patterns beginning with `@` (`@example.org`), matching any author email\n  address ending with that domain.\n\n`exempt-authors` are applied only for the commit _author_. 
The commit\n_committer_ cannot exempt other people's contributions.\n\n```toml\nexempt-authors = [\"joe@example.net\", \"@example.com\"]\n```\n\n### Trailer Parsing Strictness\n\nThe action now reads Git trailers like `git interpret-trailers` does, including\nproper handling of folded trailer values. The default behaviour is `\"strict\"`\nparsing and it may be configured with the `trailer-parsing` configuration\noption.\n\n- `trailer-parsing = \"strict\"`: Strict parsing. All trailers must be collected\n  in a single block with no blank lines:\n\n  ```gitcommit\n  feat: add widget\n\n  This implements the widget feature.\n\n  Reviewed-by: Bob \u003cbob@example.com\u003e\n  Signed-off-by: Alice\n    \u003calice@example.com\u003e\n  ```\n\n  If there were a blank line between `Reviewed-by` and `Signed-off-by`, the\n  `reviewed-by` trailer is not visible.\n\n- `trailer-parsing = \"lenient\"`: Lenient parsing. Trailer blocks may be\n  separated by blank lines:\n\n  ```gitcommit\n  feat: add widget\n\n  This implements the widget feature.\n\n  Reviewed-by: Bob \u003cbob@example.com\u003e\n\n  Signed-off-by: Alice\n    \u003calice@example.com\u003e\n  ```\n\nFor both parsing configurations, any non-trailer text prevents any trailers from\nbeing found:\n\n```gitcommit\nfeat: add widget\n\nThis implements the widget feature.\n\nReviewed-by: Bob \u003cbob@example.com\u003e\nSigned-off-by: Alice\n  \u003calice@example.com\u003e\n\nBody text after sign-off.\n```\n\nThe presence of \"Body text after sign-off\" prevents the trailers from being\nfound as they no longer \"trail\" the body.\n\n### Pull Request Comment\n\n`actions-dco` will now add or update a pull request comment if `comment = true`\nis present in the configuration. 
This is disabled by default, as it requires an\nadditional permission on the job token.\n\n```yaml\nname: DCO Check\n\non:\n  pull_request:\n\npermissions: {}\n\njobs:\n  check:\n    permissions:\n      contents: read\n      pull-requests: write # Track DCO results in a comment on the pull request\n\n    runs-on: ubuntu-latest\n    steps:\n      - uses: KineticCafe/actions-dco@v3.0.0\n        with:\n          config: |\n            comment = true\n```\n\n### Bot Configuration\n\n`actions-dco` versions 1 and 2 always exempted bot authors. As this may be\nundesirable with large model contributions, it is now possible to configure a\nbot policy. All controls are under the `bot` namespace.\n\n#### Policy (`bot.policy`)\n\n`bot.policy` may be set to one of four values and control the overall operation.\nThe default is `\"all\"`.\n\n| Policy         | Behaviour                                                              |\n| -------------- | ---------------------------------------------------------------------- |\n| `\"all\"`        | All `type: \"Bot\"` commits are exempt (default)                         |\n| `\"none\"`       | No bots are exempt; all require valid sign-offs                        |\n| `\"well-known\"` | Only recognized bots are exempt, by category, enables `bot.categories` |\n| `\"allowlist\"`  | Only explicitly listed bot logins are exempt, enables `bot.allow`      |\n\n```toml\nbot.policy = \"all\"\n\n[bot]\npolicy = \"well-known\"\n```\n\n#### Well-Known Bot Categories (`bot.categories`)\n\nIf exemptions are made only for `well-known` bots, then the categories for\npermitted bots may be specified. 
If `bot.policy = \"well-known\"` with no\n`bot.categories`, all categories are assumed.\n\nSupported categories are:\n\n- `dependency-updaters`: `dependabot[bot]`, `renovate[bot]`, `snyk-bot[bot]`\n- `ci-cd`: `github-actions[bot]`\n- `release`: `semantic-release[bot]`, `release-please[bot]`\n\nAdditional categories may be added if required.\n\n#### Explicitly Allowed Bots (`bot.allow`)\n\nIf `bot.policy = \"allowlist\"`, then a list of explicitly permitted bot\n**logins** must be provided. These are _not_ email addresses on GitHub.\n\n```toml\nbot.allow = [\"dependabot[bot]\", \"semantic-release[bot]\"]\n```\n\n### Aliased Sign-offs\n\nYou can now also alias sign-offs to match the commit. This is _similar_ to the\ngit `mailmap` file. The `alias-signoffs.aliases` is a map of commit identity\nemails to the typically presented `Signed-off-by:` identity.\n\nFor example, Dependabot commits with\n`49699333+dependabot[bot]@users.noreply.github.com`, but signs off with\n`support@github.com`.\n\nThis applies to _all committers_, not just bots.\n\n```toml\n[alias-signoffs.aliases]\n\"49699333+dependabot[bot]@users.noreply.github.com\" = [\"support@github.com\"]\n```\n\n## How it works\n\nFor each commit in the pull request:\n\n1. Commits with multiple parents are skipped (they are merge commits).\n2. Commits by bots are checked against the configured bot policy.\n3. Identity extraction and validation verifies that at least one of the commit\n   _author_ and the commit _committer_ has both `name` and `email` values.\n4. When `signed-off-by` trailers are found, they are parsed and matched against\n   commit identities. Sign-off trailers must have both a name and a valid email\n   address.\n5. Without a `signed-off-by` trailer, the author email is checked against\n   exemption patterns.\n\n## PR Comments\n\nWhen `comment = true` is set in configuration, the action will create or update\na comment on the pull request with the DCO check results. 
This requires\n`pull-requests: write` permission:\n\n```yaml\npermissions:\n  pull-requests: write\n\nsteps:\n  - uses: KineticCafe/actions-dco@v3.0.0\n    with:\n      config: |\n        comment = true\n```\n\n## Migration from v2\n\n- The `exempt-authors` input still works but emits a deprecation warning. Move\n  to the `config` input with TOML format. If `exempt-authors` is present as both\n  an action input _and_ in the `config` TOML, a warning will be presented and\n  the action input _will be ignored_.\n\n- Bot exemption behaviour is unchanged by default (all bots exempt). Use\n  `bot.policy = \"well-known\"` or `\"none\"` for stricter control. Future versions\n  will change this to `\"well-known\"`.\n\n- The action now validates sign-off email addresses and requires both name and\n  email in the `Signed-off-by` trailer.\n\n## Licence\n\n[Apache License, version 2.0](LICENCE.md)\n\n[dco]: https://developercertificate.org\n[licence.md]: https://github.com/KineticCafe/actions-dco/blob/main/LICENCE.md\n[welcomes contributions]: https://github.com/KineticCafe/actions-dco/blob/main/CONTRIBUTING.md\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkineticcafe%2Factions-dco","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkineticcafe%2Factions-dco","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkineticcafe%2Factions-dco/lists"}